This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos endpoint using high cpu when updating windows

Hi sophos team.
I have an issue with sophos endpoint.
The computer is so lagged when updating windows. Sophos endpoint defense software and sophos file scanner took over 50% cpu, do we have settings to bypass scanning update from window.

The endpoint is the latest version.

task manager



This thread was automatically locked due to age.
  • Thank you for reaching out to the community forum.

    Aside from the Windows update, is there any other activity going on while you experience the issue?

    Also, may we know the specs of the device that has this behavior? 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thank you for your reply.

    The specifications are as follows: an Intel Core i3 10th generation CPU paired with 8GB of RAM.

    My user work with Office and Chrome when Windows is updating.

    Are there any additional settings to minimize the background scanning while Windows is updating?

  • Hi  ,

    Can you try applying these Microsoft recommended exclusions, which can also be found in the following knowledge base article - https://support.sophos.com/support/s/article/KB-000033519?language=en_US and see if it helps? You may try excluding the Wsusscan.cab and Wsusscn2.cab files or excluding all .cab files from scanning.

    I suggest creating a temporary Threat Protection policy first, which you can apply to the devices before they update. And then, you can create the exclusions within this temporary policy.

    Let us know how it goes.


    Gladys Reyes
    Global Community Support Engineer
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • I assume all the work is by tiworker.exe which has the "file description" "Windows Modules Installer Worker" which is what this Processes view of TaskManager shows.

    If this process during a Windows update is creating a lot of reg keys/values and files, SSPService is subjected to a lot of regkeycreate and regvaluewrite operations. Plus all the new files. These operations are all journaled.  The activity from SophosFileScanner.exe would suggest many of the files are being scanned as well.

    If you wanted to test the behaviour with tiworker.exe excluded as a process. I.e. it is referenced in OnAccessExcludeProcessPaths under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config once the policy comes down.

    As to if this is a secure approach is another question but, could be tested.